Bing Yuan

1. Client-Side Honeypots
Bing Yuan
Department of Computer Science
RWTH Aachen
April 26, 2007

2. Overview
Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future Works

3. Overview
Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future Works

4. Overview
Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future Works

5. Overview
Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future Works

6. Overview
Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future Works

7. Motivation
The Client-Side Honeypot
Client-side exploits grow very fast
The CHP System
Traditional methodology is inadequate
Attack Patterns
Future works
Problems
client-side exploit means exploiting client-side software’s
vulnerabilities
computers can be infected by simply browsing web pages or
opening emails
about 90% of PCs connected to the internet are infected with
spyware in 2006 (www.webroot.com)
Bing Yuan Client-Side Honeypots

8. Motivation
The Client-Side Honeypot
Client-side exploits grow very fast
The CHP System
Traditional methodology is inadequate
Attack Patterns
Future works
Problems
client-side exploit means exploiting client-side software’s
vulnerabilities
computers can be infected by simply browsing web pages or
opening emails
about 90% of PCs connected to the internet are infected with
spyware in 2006 (www.webroot.com)
Bing Yuan Client-Side Honeypots

9. Motivation
The Client-Side Honeypot
Client-side exploits grow very fast
The CHP System
Traditional methodology is inadequate
Attack Patterns
Future works
Problems
client-side exploit means exploiting client-side software’s
vulnerabilities
computers can be infected by simply browsing web pages or
opening emails
about 90% of PCs connected to the internet are infected with
spyware in 2006 (www.webroot.com)
Bing Yuan Client-Side Honeypots

10. Motivation
The Client-Side Honeypot
Client-side exploits grow very fast
The CHP System
Traditional methodology is inadequate
Attack Patterns
Future works
Analysis
client-side softwares are wide-spread:
web browsers, email clients, ...
client-side softwares have many vulnerabilities:
Microsoft Security Bulletin Search: IE, OE, ...
Mozilla Foundation Security Advisory: Firefox, Thunderbird, ...
Bing Yuan Client-Side Honeypots

11. Motivation
The Client-Side Honeypot
Client-side exploits grow very fast
The CHP System
Traditional methodology is inadequate
Attack Patterns
Future works
Analysis
client-side softwares are wide-spread:
web browsers, email clients, ...
client-side softwares have many vulnerabilities:
Microsoft Security Bulletin Search: IE, OE, ...
Mozilla Foundation Security Advisory: Firefox, Thunderbird, ...
Bing Yuan Client-Side Honeypots

12. Motivation
The Client-Side Honeypot
Client-side exploits grow very fast
The CHP System
Traditional methodology is inadequate
Attack Patterns
Future works
Analysis
client-side softwares are wide-spread:
web browsers, email clients, ...
client-side softwares have many vulnerabilities:
Microsoft Security Bulletin Search: IE, OE, ...
Mozilla Foundation Security Advisory: Firefox, Thunderbird, ...
Bing Yuan Client-Side Honeypots

13. Motivation
The Client-Side Honeypot
Client-side exploits grow very fast
The CHP System
Traditional methodology is inadequate
Attack Patterns
Future works
Analysis
client-side softwares are wide-spread:
web browsers, email clients, ...
client-side softwares have many vulnerabilities:
Microsoft Security Bulletin Search: IE, OE, ...
Mozilla Foundation Security Advisory: Firefox, Thunderbird, ...
Bing Yuan Client-Side Honeypots

14. Motivation
The Client-Side Honeypot
Client-side exploits grow very fast
The CHP System
Traditional methodology is inadequate
Attack Patterns
Future works
anti-malware softwares are all reactive
traditional honeypots focus on server-side attacks
we need proactively to handle the client-side attacks
Bing Yuan Client-Side Honeypots

15. Motivation
The Client-Side Honeypot
Client-side exploits grow very fast
The CHP System
Traditional methodology is inadequate
Attack Patterns
Future works
anti-malware softwares are all reactive
traditional honeypots focus on server-side attacks
we need proactively to handle the client-side attacks
Bing Yuan Client-Side Honeypots

16. Motivation
The Client-Side Honeypot
Client-side exploits grow very fast
The CHP System
Traditional methodology is inadequate
Attack Patterns
Future works
anti-malware softwares are all reactive
traditional honeypots focus on server-side attacks
we need proactively to handle the client-side attacks
Bing Yuan Client-Side Honeypots

17. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Definition
The client-side honeypot is one trap computer which simulates or
drives the client-side softwares to actively and automatically search
for attacks, record system activities and judge which system
activities are malicious for better knowing about client-side attack
patterns.
Bing Yuan Client-Side Honeypots

18. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Characteristics
client-side: it simulates/drives client-side software and does
not provide services
active: because it can not lure attacks, it must actively search
for attacks
automatic: because huge resource should be visited,
client-side honeypot’s tasks must be automated
identify: it must can judge which system activities are normal
and which are malicious
Bing Yuan Client-Side Honeypots

19. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Characteristics
client-side: it simulates/drives client-side software and does
not provide services
active: because it can not lure attacks, it must actively search
for attacks
automatic: because huge resource should be visited,
client-side honeypot’s tasks must be automated
identify: it must can judge which system activities are normal
and which are malicious
Bing Yuan Client-Side Honeypots

20. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Characteristics
client-side: it simulates/drives client-side software and does
not provide services
active: because it can not lure attacks, it must actively search
for attacks
automatic: because huge resource should be visited,
client-side honeypot’s tasks must be automated
identify: it must can judge which system activities are normal
and which are malicious
Bing Yuan Client-Side Honeypots

21. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Characteristics
client-side: it simulates/drives client-side software and does
not provide services
active: because it can not lure attacks, it must actively search
for attacks
automatic: because huge resource should be visited,
client-side honeypot’s tasks must be automated
identify: it must can judge which system activities are normal
and which are malicious
Bing Yuan Client-Side Honeypots

22. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Classification
high-interaction and low interaction
according to the development technologies:
integrity control: take two snapshots of the system before and
after crawling, then compare these two snapshots to judge if
the system integrity is changed
real-time monitoring: during the crawling we intercept
important system calls and record the system activities caused
by these system calls using hook technologies
more efficient: it does not need system snapshots
more precise: every important system calls are intercepted
Bing Yuan Client-Side Honeypots

23. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Classification
high-interaction and low interaction
according to the development technologies:
integrity control: take two snapshots of the system before and
after crawling, then compare these two snapshots to judge if
the system integrity is changed
real-time monitoring: during the crawling we intercept
important system calls and record the system activities caused
by these system calls using hook technologies
more efficient: it does not need system snapshots
more precise: every important system calls are intercepted
Bing Yuan Client-Side Honeypots

24. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Classification
high-interaction and low interaction
according to the development technologies:
integrity control: take two snapshots of the system before and
after crawling, then compare these two snapshots to judge if
the system integrity is changed
real-time monitoring: during the crawling we intercept
important system calls and record the system activities caused
by these system calls using hook technologies
more efficient: it does not need system snapshots
more precise: every important system calls are intercepted
Bing Yuan Client-Side Honeypots

25. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Classification
high-interaction and low interaction
according to the development technologies:
integrity control: take two snapshots of the system before and
after crawling, then compare these two snapshots to judge if
the system integrity is changed
real-time monitoring: during the crawling we intercept
important system calls and record the system activities caused
by these system calls using hook technologies
more efficient: it does not need system snapshots
more precise: every important system calls are intercepted
Bing Yuan Client-Side Honeypots

26. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Classification
high-interaction and low interaction
according to the development technologies:
integrity control: take two snapshots of the system before and
after crawling, then compare these two snapshots to judge if
the system integrity is changed
real-time monitoring: during the crawling we intercept
important system calls and record the system activities caused
by these system calls using hook technologies
more efficient: it does not need system snapshots
more precise: every important system calls are intercepted
Bing Yuan Client-Side Honeypots

27. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Classification
high-interaction and low interaction
according to the development technologies:
integrity control: take two snapshots of the system before and
after crawling, then compare these two snapshots to judge if
the system integrity is changed
real-time monitoring: during the crawling we intercept
important system calls and record the system activities caused
by these system calls using hook technologies
more efficient: it does not need system snapshots
more precise: every important system calls are intercepted
Bing Yuan Client-Side Honeypots

28. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Client-side honeypot projects (1)
HoneyC: low-interaction client-side honeypot developed by
Christian Seifert in 2006, platform independent open source
framework written in Ruby
drive visitor component like web browser simulator to visit web
servers
use analysis engine to determine if the system’s security
policies are violated
Capture-HPC: high-interaction client-side honeypot developed
by many researchers using Java and C at Victoria University
of Wellington
capture server is responsible for controlling capture clients
capture client is responsible for recording the system activities
in real-time
Bing Yuan Client-Side Honeypots

29. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Client-side honeypot projects (1)
HoneyC: low-interaction client-side honeypot developed by
Christian Seifert in 2006, platform independent open source
framework written in Ruby
drive visitor component like web browser simulator to visit web
servers
use analysis engine to determine if the system’s security
policies are violated
Capture-HPC: high-interaction client-side honeypot developed
by many researchers using Java and C at Victoria University
of Wellington
capture server is responsible for controlling capture clients
capture client is responsible for recording the system activities
in real-time
Bing Yuan Client-Side Honeypots

30. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Client-side honeypot projects (1)
HoneyC: low-interaction client-side honeypot developed by
Christian Seifert in 2006, platform independent open source
framework written in Ruby
drive visitor component like web browser simulator to visit web
servers
use analysis engine to determine if the system’s security
policies are violated
Capture-HPC: high-interaction client-side honeypot developed
by many researchers using Java and C at Victoria University
of Wellington
capture server is responsible for controlling capture clients
capture client is responsible for recording the system activities
in real-time
Bing Yuan Client-Side Honeypots

31. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Client-side honeypot projects (1)
HoneyC: low-interaction client-side honeypot developed by
Christian Seifert in 2006, platform independent open source
framework written in Ruby
drive visitor component like web browser simulator to visit web
servers
use analysis engine to determine if the system’s security
policies are violated
Capture-HPC: high-interaction client-side honeypot developed
by many researchers using Java and C at Victoria University
of Wellington
capture server is responsible for controlling capture clients
capture client is responsible for recording the system activities
in real-time
Bing Yuan Client-Side Honeypots

32. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Client-side honeypot projects (1)
HoneyC: low-interaction client-side honeypot developed by
Christian Seifert in 2006, platform independent open source
framework written in Ruby
drive visitor component like web browser simulator to visit web
servers
use analysis engine to determine if the system’s security
policies are violated
Capture-HPC: high-interaction client-side honeypot developed
by many researchers using Java and C at Victoria University
of Wellington
capture server is responsible for controlling capture clients
capture client is responsible for recording the system activities
in real-time
Bing Yuan Client-Side Honeypots

33. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Client-side honeypot projects (1)
HoneyC: low-interaction client-side honeypot developed by
Christian Seifert in 2006, platform independent open source
framework written in Ruby
drive visitor component like web browser simulator to visit web
servers
use analysis engine to determine if the system’s security
policies are violated
Capture-HPC: high-interaction client-side honeypot developed
by many researchers using Java and C at Victoria University
of Wellington
capture server is responsible for controlling capture clients
capture client is responsible for recording the system activities
in real-time
Bing Yuan Client-Side Honeypots

34. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Client-side honeypot projects (2)
Honeyclient: the first open source high-interaction client-side
honeypot developed by Kathy Wang using Perl in early 2005
establish two baselines of system files and registry entries
before and after visiting one whole domain
compare these two baselines to find integrity changes
HoneyMonkey System: short for Strider HoneyMonkey Exploit
Detection System and was developed by Microsoft in 2005,
first high-interaction client-side honeypot system which found
0-day exploit
execute one web browser instance for each malicious URL and
wait for some minutes
in the meantime it will record and analyse the system activities
pipeline of virtual machines with different patch levels
Bing Yuan Client-Side Honeypots

35. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Client-side honeypot projects (2)
Honeyclient: the first open source high-interaction client-side
honeypot developed by Kathy Wang using Perl in early 2005
establish two baselines of system files and registry entries
before and after visiting one whole domain
compare these two baselines to find integrity changes
HoneyMonkey System: short for Strider HoneyMonkey Exploit
Detection System and was developed by Microsoft in 2005,
first high-interaction client-side honeypot system which found
0-day exploit
execute one web browser instance for each malicious URL and
wait for some minutes
in the meantime it will record and analyse the system activities
pipeline of virtual machines with different patch levels
Bing Yuan Client-Side Honeypots

36. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Client-side honeypot projects (2)
Honeyclient: the first open source high-interaction client-side
honeypot developed by Kathy Wang using Perl in early 2005
establish two baselines of system files and registry entries
before and after visiting one whole domain
compare these two baselines to find integrity changes
HoneyMonkey System: short for Strider HoneyMonkey Exploit
Detection System and was developed by Microsoft in 2005,
first high-interaction client-side honeypot system which found
0-day exploit
execute one web browser instance for each malicious URL and
wait for some minutes
in the meantime it will record and analyse the system activities
pipeline of virtual machines with different patch levels
Bing Yuan Client-Side Honeypots

37. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Client-side honeypot projects (2)
Honeyclient: the first open source high-interaction client-side
honeypot developed by Kathy Wang using Perl in early 2005
establish two baselines of system files and registry entries
before and after visiting one whole domain
compare these two baselines to find integrity changes
HoneyMonkey System: short for Strider HoneyMonkey Exploit
Detection System and was developed by Microsoft in 2005,
first high-interaction client-side honeypot system which found
0-day exploit
execute one web browser instance for each malicious URL and
wait for some minutes
in the meantime it will record and analyse the system activities
pipeline of virtual machines with different patch levels
Bing Yuan Client-Side Honeypots

38. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Client-side honeypot projects (2)
Honeyclient: the first open source high-interaction client-side
honeypot developed by Kathy Wang using Perl in early 2005
establish two baselines of system files and registry entries
before and after visiting one whole domain
compare these two baselines to find integrity changes
HoneyMonkey System: short for Strider HoneyMonkey Exploit
Detection System and was developed by Microsoft in 2005,
first high-interaction client-side honeypot system which found
0-day exploit
execute one web browser instance for each malicious URL and
wait for some minutes
in the meantime it will record and analyse the system activities
pipeline of virtual machines with different patch levels
Bing Yuan Client-Side Honeypots

39. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Client-side honeypot projects (2)
Honeyclient: the first open source high-interaction client-side
honeypot developed by Kathy Wang using Perl in early 2005
establish two baselines of system files and registry entries
before and after visiting one whole domain
compare these two baselines to find integrity changes
HoneyMonkey System: short for Strider HoneyMonkey Exploit
Detection System and was developed by Microsoft in 2005,
first high-interaction client-side honeypot system which found
0-day exploit
execute one web browser instance for each malicious URL and
wait for some minutes
in the meantime it will record and analyse the system activities
pipeline of virtual machines with different patch levels
Bing Yuan Client-Side Honeypots

40. Motivation
The Client-Side Honeypot Overview
The CHP System Classification
Attack Patterns Client-side honeypot projects
Future works
Client-side honeypot projects (2)
Honeyclient: the first open source high-interaction client-side
honeypot developed by Kathy Wang using Perl in early 2005
establish two baselines of system files and registry entries
before and after visiting one whole domain
compare these two baselines to find integrity changes
HoneyMonkey System: short for Strider HoneyMonkey Exploit
Detection System and was developed by Microsoft in 2005,
first high-interaction client-side honeypot system which found
0-day exploit
execute one web browser instance for each malicious URL and
wait for some minutes
in the meantime it will record and analyse the system activities
pipeline of virtual machines with different patch levels
Bing Yuan Client-Side Honeypots

41. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
Overview
the goal: implement one system which can determine if
clicking on one weblink will cause system’s activities, if yes,
judge if these activities are normal or malicious, when
malicious, further research the URLs which cause the
malicious activities to gain knowledge about client-side attack
patterns
the CHP system is one high-interaction client-side honeypot
and contains CI(Crawl and Identify) developed by me using
C++ and CWSandbox developed by Carsten Willems using
Delphi, it runs on Windows XP/2000
Bing Yuan Client-Side Honeypots

42. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
Overview
the goal: implement one system which can determine if
clicking on one weblink will cause system’s activities, if yes,
judge if these activities are normal or malicious, when
malicious, further research the URLs which cause the
malicious activities to gain knowledge about client-side attack
patterns
the CHP system is one high-interaction client-side honeypot
and contains CI(Crawl and Identify) developed by me using
C++ and CWSandbox developed by Carsten Willems using
Delphi, it runs on Windows XP/2000
Bing Yuan Client-Side Honeypots

43. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
Which system activities should be controlled
files: created, deleted, modified files
registry entries: created, deleted, modified
keys/data/values
processes: opened, created, terminated processes
network connections: malicious network connections
memory: ultimate goal of system control, because most
malwares leave traces in the memory, but it is not easy to be
implemented
Bing Yuan Client-Side Honeypots

44. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
Which system activities should be controlled
files: created, deleted, modified files
registry entries: created, deleted, modified
keys/data/values
processes: opened, created, terminated processes
network connections: malicious network connections
memory: ultimate goal of system control, because most
malwares leave traces in the memory, but it is not easy to be
implemented
Bing Yuan Client-Side Honeypots

45. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
Which system activities should be controlled
files: created, deleted, modified files
registry entries: created, deleted, modified
keys/data/values
processes: opened, created, terminated processes
network connections: malicious network connections
memory: ultimate goal of system control, because most
malwares leave traces in the memory, but it is not easy to be
implemented
Bing Yuan Client-Side Honeypots

46. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
Which system activities should be controlled
files: created, deleted, modified files
registry entries: created, deleted, modified
keys/data/values
processes: opened, created, terminated processes
network connections: malicious network connections
memory: ultimate goal of system control, because most
malwares leave traces in the memory, but it is not easy to be
implemented
Bing Yuan Client-Side Honeypots

47. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
Which system activities should be controlled
files: created, deleted, modified files
registry entries: created, deleted, modified
keys/data/values
processes: opened, created, terminated processes
network connections: malicious network connections
memory: ultimate goal of system control, because most
malwares leave traces in the memory, but it is not easy to be
implemented
Bing Yuan Client-Side Honeypots

48. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
Schema
Bing Yuan Client-Side Honeypots

49. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
The GUI of CI
Bing Yuan Client-Side Honeypots

50. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
The crawling part
How to build URL-list?
the first 100 search results (URLs)
blacklist which contains known malicious URLs
extract URLs from the email body
extract URLs from the crawled webpages
the malicious URLs we indentified after one execution
Bing Yuan Client-Side Honeypots

51. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
The crawling part
How to build URL-list?
the first 100 search results (URLs)
blacklist which contains known malicious URLs
extract URLs from the email body
extract URLs from the crawled webpages
the malicious URLs we indentified after one execution
Bing Yuan Client-Side Honeypots

52. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
The crawling part
How to build URL-list?
the first 100 search results (URLs)
blacklist which contains known malicious URLs
extract URLs from the email body
extract URLs from the crawled webpages
the malicious URLs we indentified after one execution
Bing Yuan Client-Side Honeypots

53. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
The crawling part
How to build URL-list?
the first 100 search results (URLs)
blacklist which contains known malicious URLs
extract URLs from the email body
extract URLs from the crawled webpages
the malicious URLs we indentified after one execution
Bing Yuan Client-Side Honeypots

54. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
The crawling part
How to build URL-list?
the first 100 search results (URLs)
blacklist which contains known malicious URLs
extract URLs from the email body
extract URLs from the crawled webpages
the malicious URLs we indentified after one execution
Bing Yuan Client-Side Honeypots

55. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
Crawling parameters
breadth: how many weblinks in one webpage we want to click
on
depth: how many layers we want to visit, for example if the
depth equals two, then the current webpage is the zero layer,
we click on the weblinks at the zero layer to go to the first
layer, then go to the second layer by clicking on the weblinks
at the first layer
length: time length between visiting two URLs
Bing Yuan Client-Side Honeypots

56. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
Crawling parameters
breadth: how many weblinks in one webpage we want to click
on
depth: how many layers we want to visit, for example if the
depth equals two, then the current webpage is the zero layer,
we click on the weblinks at the zero layer to go to the first
layer, then go to the second layer by clicking on the weblinks
at the first layer
length: time length between visiting two URLs
Bing Yuan Client-Side Honeypots

57. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
Crawling parameters
breadth: how many weblinks in one webpage we want to click
on
depth: how many layers we want to visit, for example if the
depth equals two, then the current webpage is the zero layer,
we click on the weblinks at the zero layer to go to the first
layer, then go to the second layer by clicking on the weblinks
at the first layer
length: time length between visiting two URLs
Bing Yuan Client-Side Honeypots

58. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
Layers
Breadth = 3, Depth = 2
Bing Yuan Client-Side Honeypots

59. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
Computing
The numbers of the URLs to visit =
breadth0 + breadth1 + breadth2 + ... + breadthdepth
The time we need for one crawling (in secondes) =
((The numbers of the URLs to visit) − 1) × length
Bing Yuan Client-Side Honeypots

60. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
The identify part
after crawling and hooking, namely real-time monitoring, we
get ”analysis.xml” which contains all important activities
caused by visiting URLs
activity = action + filepath + filename
parse this XML file and identify malicious activities using filter
patterns
Bing Yuan Client-Side Honeypots

61. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
The identify part
after crawling and hooking, namely real-time monitoring, we
get ”analysis.xml” which contains all important activities
caused by visiting URLs
activity = action + filepath + filename
parse this XML file and identify malicious activities using filter
patterns
Bing Yuan Client-Side Honeypots

62. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
The identify part
after crawling and hooking, namely real-time monitoring, we
get ”analysis.xml” which contains all important activities
caused by visiting URLs
activity = action + filepath + filename
parse this XML file and identify malicious activities using filter
patterns
Bing Yuan Client-Side Honeypots

63. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
Filter patterns (1)
Activity Filter Patterns
File’s activity not contains ”Temporary Internet Files”
Registry’s activity contains ”Browser Helper Objects”
contains ”CurrentVersionRun”
contains ”CurrentVersionRunOnce”
contains ”CurrentVersionRunServices”
contains ”CurrentVersionRunServicesOnce”
contains ”Internet ExplorerToolbar”
contains ”Search Assistent”
contains ”Search Bar”
contains ”Search Page”
contains ”Start Page”
Bing Yuan Client-Side Honeypots

64. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
Filter patterns (2)
Activity Filter Patterns
contains ”Startup Folder”
contains ”Hosts”
contains ”CurrentVersionWinLogon”
contains ”CurrentControlSetServices”
contains ”CurrentControlSetControl”
contains ”ShellOpenCommand”
contains ”ShellExecuteHooks”
Process create or terminate activities
Ini-file’s activity contains ”win.ini” and ”run” and ”load”
contains ”system.ini” and ”load” and ”shell”
Winsock every crawled URL
Bing Yuan Client-Side Honeypots

65. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
Introduction
the CWSandbox can automatically analyse the malware’s
behaviours by running the malwares and intercepting all
important calls to the Windows API which will cause
correspondent system activities
the CWSandbox uses hook technologies, hooking one function
means the interception of calls to this function by some other
function called hook
finally it will generate one summarized report
Bing Yuan Client-Side Honeypots

66. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
Introduction
the CWSandbox can automatically analyse the malware’s
behaviours by running the malwares and intercepting all
important calls to the Windows API which will cause
correspondent system activities
the CWSandbox uses hook technologies, hooking one function
means the interception of calls to this function by some other
function called hook
finally it will generate one summarized report
Bing Yuan Client-Side Honeypots

67. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
Introduction
the CWSandbox can automatically analyse the malware’s
behaviours by running the malwares and intercepting all
important calls to the Windows API which will cause
correspondent system activities
the CWSandbox uses hook technologies, hooking one function
means the interception of calls to this function by some other
function called hook
finally it will generate one summarized report
Bing Yuan Client-Side Honeypots

68. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
The Integration of CI and CWSandbox
the CWSandbox drives one IE instance as malware which can
be captured by the CI
the CI continuously crawls the URLs from the URL list using
this IE instance
in the meantime the system activities caused by visiting these
URLs are recorded by CWSandbox
the CWSandbox generates one summarized report of the
system activities
the identify part of the CI parses and analyse this report to
judge which activities are malicious
Bing Yuan Client-Side Honeypots

69. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
The Integration of CI and CWSandbox
the CWSandbox drives one IE instance as malware which can
be captured by the CI
the CI continuously crawls the URLs from the URL list using
this IE instance
in the meantime the system activities caused by visiting these
URLs are recorded by CWSandbox
the CWSandbox generates one summarized report of the
system activities
the identify part of the CI parses and analyse this report to
judge which activities are malicious
Bing Yuan Client-Side Honeypots

70. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
The Integration of CI and CWSandbox
the CWSandbox drives one IE instance as malware which can
be captured by the CI
the CI continuously crawls the URLs from the URL list using
this IE instance
in the meantime the system activities caused by visiting these
URLs are recorded by CWSandbox
the CWSandbox generates one summarized report of the
system activities
the identify part of the CI parses and analyse this report to
judge which activities are malicious
Bing Yuan Client-Side Honeypots

71. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
The Integration of CI and CWSandbox
the CWSandbox drives one IE instance as malware which can
be captured by the CI
the CI continuously crawls the URLs from the URL list using
this IE instance
in the meantime the system activities caused by visiting these
URLs are recorded by CWSandbox
the CWSandbox generates one summarized report of the
system activities
the identify part of the CI parses and analyse this report to
judge which activities are malicious
Bing Yuan Client-Side Honeypots

72. Motivation
The Client-Side Honeypot Overview
The CHP System The CI
Attack Patterns The CWSandbox
Future works
The Integration of CI and CWSandbox
the CWSandbox drives one IE instance as malware which can
be captured by the CI
the CI continuously crawls the URLs from the URL list using
this IE instance
in the meantime the system activities caused by visiting these
URLs are recorded by CWSandbox
the CWSandbox generates one summarized report of the
system activities
the identify part of the CI parses and analyse this report to
judge which activities are malicious
Bing Yuan Client-Side Honeypots

73. Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future works
Attack Patterns (1)
malwares use social engineering to disguise themselves, such
as ”svchost.exe”
redirect user’s network connections using e.g. invisible
”iframe”
malicious websites put their weblinks on the webpages of
other websites
conceal the source code using obfuscation method, even many
times
Bing Yuan Client-Side Honeypots

74. Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future works
Attack Patterns (1)
malwares use social engineering to disguise themselves, such
as ”svchost.exe”
redirect user’s network connections using e.g. invisible
”iframe”
malicious websites put their weblinks on the webpages of
other websites
conceal the source code using obfuscation method, even many
times
Bing Yuan Client-Side Honeypots

75. Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future works
Attack Patterns (1)
malwares use social engineering to disguise themselves, such
as ”svchost.exe”
redirect user’s network connections using e.g. invisible
”iframe”
malicious websites put their weblinks on the webpages of
other websites
conceal the source code using obfuscation method, even many
times
Bing Yuan Client-Side Honeypots

76. Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future works
Attack Patterns (1)
malwares use social engineering to disguise themselves, such
as ”svchost.exe”
redirect user’s network connections using e.g. invisible
”iframe”
malicious websites put their weblinks on the webpages of
other websites
conceal the source code using obfuscation method, even many
times
Bing Yuan Client-Side Honeypots

77. Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future works
Attack Patterns (2)
use different scripting languages, such as mixture of VBScript
and Java Script
use script code to directly operate on the local system, such
as using ”Scripting.FileSystemObject” object
malwares use various methods to create/execute/delete
themselves in the same time
malwares use rootkit technologies to hide themselves
Bing Yuan Client-Side Honeypots

78. Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future works
Attack Patterns (2)
use different scripting languages, such as mixture of VBScript
and Java Script
use script code to directly operate on the local system, such
as using ”Scripting.FileSystemObject” object
malwares use various methods to create/execute/delete
themselves in the same time
malwares use rootkit technologies to hide themselves
Bing Yuan Client-Side Honeypots

79. Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future works
Attack Patterns (2)
use different scripting languages, such as mixture of VBScript
and Java Script
use script code to directly operate on the local system, such
as using ”Scripting.FileSystemObject” object
malwares use various methods to create/execute/delete
themselves in the same time
malwares use rootkit technologies to hide themselves
Bing Yuan Client-Side Honeypots

80. Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future works
Attack Patterns (2)
use different scripting languages, such as mixture of VBScript
and Java Script
use script code to directly operate on the local system, such
as using ”Scripting.FileSystemObject” object
malwares use various methods to create/execute/delete
themselves in the same time
malwares use rootkit technologies to hide themselves
Bing Yuan Client-Side Honeypots

81. Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future works
Future works (1)
further improve the CHP system and expand filter patterns
test the CHP system in the Laboratory for Dependable
Distributed Systems at the University of Mannheim and the
Honeynet Organization
improve the email part, let it research the vulnerabilities of the
email client, this must be coordinated with CWSandbox which
can monitor activities such as opening emails or email
attachments
add the network control part
Bing Yuan Client-Side Honeypots

82. Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future works
Future works (1)
further improve the CHP system and expand filter patterns
test the CHP system in the Laboratory for Dependable
Distributed Systems at the University of Mannheim and the
Honeynet Organization
improve the email part, let it research the vulnerabilities of the
email client, this must be coordinated with CWSandbox which
can monitor activities such as opening emails or email
attachments
add the network control part
Bing Yuan Client-Side Honeypots

83. Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future works
Future works (1)
further improve the CHP system and expand filter patterns
test the CHP system in the Laboratory for Dependable
Distributed Systems at the University of Mannheim and the
Honeynet Organization
improve the email part, let it research the vulnerabilities of the
email client, this must be coordinated with CWSandbox which
can monitor activities such as opening emails or email
attachments
add the network control part
Bing Yuan Client-Side Honeypots

84. Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future works
Future works (1)
further improve the CHP system and expand filter patterns
test the CHP system in the Laboratory for Dependable
Distributed Systems at the University of Mannheim and the
Honeynet Organization
improve the email part, let it research the vulnerabilities of the
email client, this must be coordinated with CWSandbox which
can monitor activities such as opening emails or email
attachments
add the network control part
Bing Yuan Client-Side Honeypots

85. Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future works
Future works (2)
improve the integrity control part, through better
configuration and implementation, the integrity control
approach may also work very efficiently
the CWSandbox is not one open source project, so maybe we
can build one own real-time monitoring kernel
deepen the theoretical research of the client-side honeypot
which can help us better improve the CHP system
build one central repository which can be accessed through
project website or CI, this repository will store the malicious
URLs and their activities, all distributed users all over the
world can run the CHP system and submit malicious URLs
they found to this central repository
Bing Yuan Client-Side Honeypots

86. Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future works
Future works (2)
improve the integrity control part, through better
configuration and implementation, the integrity control
approach may also work very efficiently
the CWSandbox is not one open source project, so maybe we
can build one own real-time monitoring kernel
deepen the theoretical research of the client-side honeypot
which can help us better improve the CHP system
build one central repository which can be accessed through
project website or CI, this repository will store the malicious
URLs and their activities, all distributed users all over the
world can run the CHP system and submit malicious URLs
they found to this central repository
Bing Yuan Client-Side Honeypots

87. Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future works
Future works (2)
improve the integrity control part, through better
configuration and implementation, the integrity control
approach may also work very efficiently
the CWSandbox is not one open source project, so maybe we
can build one own real-time monitoring kernel
deepen the theoretical research of the client-side honeypot
which can help us better improve the CHP system
build one central repository which can be accessed through
project website or CI, this repository will store the malicious
URLs and their activities, all distributed users all over the
world can run the CHP system and submit malicious URLs
they found to this central repository
Bing Yuan Client-Side Honeypots

88. Motivation
The Client-Side Honeypot
The CHP System
Attack Patterns
Future works
Future works (2)
improve the integrity control part, through better
configuration and implementation, the integrity control
approach may also work very efficiently
the CWSandbox is not one open source project, so maybe we
can build one own real-time monitoring kernel
deepen the theoretical research of the client-side honeypot
which can help us better improve the CHP system
build one central repository which can be accessed through
project website or CI, this repository will store the malicious
URLs and their activities, all distributed users all over the
world can run the CHP system and submit malicious URLs
they found to this central repository
Bing Yuan Client-Side Honeypots

89. Vielen Dank f¨ r Ihre Aufmerksamkeit!
u